Category: New Developments

1
New Privacy Enforcement Act commences in Australia
2
Update from the Australia/New Zealand privacy conference and the changes to Australian privacy and cybersecurity laws
3
EU Digital Services Act: Fundamental Changes for Online Intermediaries?
4
Argentina announces upgrades to data protection obligations
5
To pay or not to pay the ransom? Organisations may find their decision easier with government guidance
6
Would mandatory reporting of ransomware payments cause more good or trouble?
7
New Cyber Security Evaluation Tool released by US Homeland Security for organisations to self-test their security systems
8
New US / Aus cross-border data access regime
9
Is ABC’s mandatory login into ABC iview legal?
10
Victorian Government QR Code Service now compulsory for all workplaces and businesses

New Privacy Enforcement Act commences in Australia

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

As of yesterday, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Privacy Enforcement Act) is now in effect after receiving Royal Assent on 12 December 2022.

As we have previously shared, the Privacy Enforcement Act increases the maximum penalties for serious or repeated privacy breaches. For body corporates/organisations this increases the penalty from the current $2.22 million to whichever is the greater of:

  • $50 million;
  • if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;
  • if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

The Act also provides the Australian Information Commissioner with greater enforcement powers to enable privacy breaches to be resolved more quickly and efficiently through more effective information-sharing powers.

While the Privacy Act review has been ongoing since 2020 with an increase to the maximum penalties long-expected, the Privacy Enforcement Act was a quick response to recent major data breaches. Attorney-General, Mark Dreyfus stated that “significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business”.

This is just the first step in what is likely to be significant amendments to the Privacy Act that will follow from the Attorney General’s Department’s ongoing review.

We expect that the regulator will start to take a far firmer approach to companies failing to secure their customer’s personal information and now carries a big stick to use in that process.

Update from the Australia/New Zealand privacy conference and the changes to Australian privacy and cybersecurity laws

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

We’ve just returned from the annual iapp Australia/New Zealand privacy conference held in Sydney this week, and it was a whirlwind. Even if you’re not one of around half of Australians affected by two of the biggest data breaches in our recent history, you’ll be aware a lot is changing – and a lot more is poised to change – in this space.

We’ll be blogging over the coming weeks about some of the key themes and changes your organisation will need to prepare for, including:

– new regulatory enforcement tools

– higher expectations of the way personal information is collected and secured, and when it needs to be destroyed

– potential removal of key exemptions such as the employee records exemption that your business may currently rely on,

– and of course the major penalty increases that seek to deter privacy breaches being viewed as ‘the cost of doing business’,

as Australia tightens the protections around the collection and use of Australians’ personal information.

Stay tuned!

EU Digital Services Act: Fundamental Changes for Online Intermediaries?

By Claude-Étienne Armingaud, Dr. Ulrike Elteste and Dr. Thomas Nietsch

The European Union has taken another step to set out its new legal framework for online intermediaries. Following the publication of the Digital Markets Act (Regulation (EU) 2022/1925) in the EU Official Journal on 12 October 2022, the Digital Services Act has now also been published in the EU Official Journal as Regulation (EU) 2022/2065.

While the Digital Markets Act focuses on the behavior of large “gatekeepers” towards other businesses, the Digital Services Act aims to fully harmonize the rules on the safety of online services and the dissemination of illegal content online. In particular, its Articles 4 to 10 replace the current provisions on the liability privilege enjoyed by online intermediaries in the eCommerce Directive 2000/31/EC. The privilege as such broadly remains intact, but is punctured in a number of ways. For example, the Digital Services Act encourages preemptive screening and provides that “trusted flaggers” must receive priority in the future. Providers of online platforms that allow consumers to enter into distance contracts with traders must obtain certain minimum information from the traders they admit to their platform. They may have to notify consumers if they become aware that products sold on their platform do not comply with legal requirements.

Again, “very large” online platforms and search engines receive the legislator’s (and the EU Commission’s) special attention. They must comply with additional transparency requirements and analyze and mitigate systemic risks.

But other intermediaries must also timely amend their terms of service, improve their complaint handling, and increase their transparency to avoid fines that can reach 6% of their global turnover. Specifically, online platforms must in the future provide clear information on “each specific advertisement presented to each individual recipient”, including “meaningful information directly and easily accessible from the advertisement about the main parameters used to determine the recipient to whom the advertisement is presented and, where applicable, about how to change those parameters”.

Most obligations bearing on companies subject to the Digital Services Act will start to apply on 17 February 2024. However, all but small online platforms and search engines will be required to publish information on the usage of their services (Statement) on their website, with an initial Statement to be published by 17 February 2023 at the latest. Intermediaries designated as “very large online platforms” or “very large online search engines” by the EU Commission will need to comply with most of their new obligations from four months after being notified of their “very large” status.

Argentina announces upgrades to data protection obligations

By Cameron Abbott, Stephanie Mayhew and Dadar Ahmadi-Pirshahid

Argentina’s Data Protection Authority, the Agency for Access to Public Information (the Agency), has published a draft bill that proposes to bring Argentina’s 22 year old data protection law more in line with the European Union’s General Data Protection Regulation.

Amongst other things, the bill modernises Argentina’s data protection law to deal with more recent issues including cloud computing, biometric and genetic data. It provides greater scope for international transfers of information by allowing transfers under the sanction of adequate data protection guarantees in the absence of a decision by the Agency that the importing country has adequate data protection. It additionally requires Data Controllers to document and notify the Agency of data breaches within 48 hours of becoming aware of a breach.

The draft bill is open for public comment until 30 September 2022. Any entity wishing to submit commentary is encouraged to reach out to K&L Gates to help facilitate the submission process.

To pay or not to pay the ransom? Organisations may find their decision easier with government guidance

By Cameron AbbottRob Pulham and Jacqueline Patishman

The Cyber Security Advisory Committee (an industry based advisory panel established by the Minister for Home Affairs to provide independent strategic advice on Australia’s cyber security challenges) has recommended in its annual report that the federal government develop a clearer policy position on the payment of ransoms by organisations that have suffered ransomware attacks.

Read More

Would mandatory reporting of ransomware payments cause more good or trouble?

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

Last month, the federal opposition (Shadow Assistant Minister for Cyber Security) introduced the private member’s Ransomware Payments Bill (the Bill) that proposes to make it mandatory for all Australian businesses and government agencies to notify the Australian Cyber Security Centre (ACSC) before paying a ransom to a ransomware attacker. Failure to notify will attract a penalty of 1,000 penalty units ($181,740).

Read More

New Cyber Security Evaluation Tool released by US Homeland Security for organisations to self-test their security systems

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

The United States Department of Homeland Security has developed the Cyber Security Evaluation Tool (CSET) which provides a systematic (and repeatable) process that critical infrastructure asset owners can use to assess and improve their cyber security management systems. This tool has a particular focus on the security of industrial control systems and information networks.

Read More

New US / Aus cross-border data access regime

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

The Telecommunications Legislations Amendment (International Orders) Bill 2020 has just cleared both houses of parliament. The new bill establishes a reciprocal cross-border data access regime between the United States and Australia which will allow for cross-border communications between foreign governments for national security and law enforcement purposes.

Read More

Is ABC’s mandatory login into ABC iview legal?

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

From July 1 all users of ABC’s on demand platform iview will be required to log in (and to have an account) to use the platform. It’s been reported that the former federal Privacy Commissioner, Malcolm Crompton, has been pushing to reverse the ABC’s decision, arguing that because the ABC is publically funded, Australians shouldn’t have to pay for content (which we have already paid for) with our data. 

Read More

Victorian Government QR Code Service now compulsory for all workplaces and businesses

By Cameron AbbottRob Pulham and Jacqueline Patishman

All Victorian workplaces businesses and venue operators must now use the free Victorian Government QR Code Service (or use a third-party system that links back to the government’s interface) to meet their contact tracing obligations.

Read More

Copyright © 2023, K&L Gates LLP. All Rights Reserved.